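# Config documentation: https://github.com/actions/dependency-review-action?tab=readme-ov-file#configuration
#
# Runs GitHub's dependency review on pull requests, and when called from another
# workflow (workflow_call) with that caller's inputs. On merge-queue
# (merge_group) events the review steps are skipped and only a no-op step runs
# (presumably so a required status check is still reported; confirm against
# the branch-protection setup).
name: 'Dependency Review'
on:  # yamllint disable-line rule:truthy -- `on` is the Actions trigger key, not a boolean
  pull_request: {}
  merge_group: {}
  workflow_call:
    inputs:
      fail-on-severity:
        description: "Minimum severity to fail job."
        default: "low"
        required: false
        type: string
      base-ref:
        description: "Base ref for building diff."
        default: ""
        required: false
        type: string
      head-ref:
        description: "Head ref for building diff."
        default: ""
        required: false
        type: string

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    # Least privilege: `contents: read` to build the dependency diff,
    # `pull-requests: write` so the action can post its summary comment
    # (see comment-summary-in-pr below).
    permissions:
      contents: read
      pull-requests: write
    steps:
      - name: "Skipping on merge queue event"
        if: ${{ github.event_name == 'merge_group' }}
        run: |
          echo "Skipping on merge queue event"
      - name: Checkout
        if: ${{ github.event_name != 'merge_group' }}
        # Pinned to a full commit SHA (release tag in the trailing comment) so a
        # moved or re-tagged release cannot change the code that runs here.
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          # The review only needs the working tree; do not leave the job token
          # in .git/config for later steps.
          persist-credentials: false
      - name: 'Dependency Review'
        if: ${{ github.event_name != 'merge_group' }}
        uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0
        with:
          # `inputs.*` is only populated on workflow_call; on a direct
          # pull_request trigger it is empty. Fall back to the same default the
          # workflow_call input declares, mirroring the base-ref/head-ref
          # fallbacks below, instead of handing the action an empty string.
          fail-on-severity: ${{ inputs.fail-on-severity || 'low' }}
          # Comma-separated SPDX identifiers. `>-` folds the list onto one line
          # and strips the trailing newline that `>` would leave in the value.
          deny-licenses: >-
            GPL-2.0,
            AGPL-1.0,
            AGPL-1.0-or-later,
            AGPL-1.0-only,
            AGPL-3.0,
            AGPL-3.0-only,
            AGPL-3.0-or-later,
            GPL-1.0,
            GPL-1.0+,
            GPL-1.0-only,
            GPL-1.0-or-later,
            CNRI-Python-GPL-Compatible,
            GPL-2.0+,
            GPL-2.0-only,
            GPL-2.0-or-later,
            GPL-2.0-with-GCC-exception,
            GPL-2.0-with-autoconf-exception,
            GPL-2.0-with-bison-exception,
            GPL-2.0-with-classpath-exception,
            GPL-2.0-with-font-exception,
            GPL-3.0,
            GPL-3.0+,
            GPL-3.0-only,
            GPL-3.0-or-later,
            GPL-3.0-with-GCC-exception,
            GPL-3.0-with-autoconf-exception,
            LGPL-2.0,
            LGPL-2.0+,
            LGPL-2.0-only,
            LGPL-2.0-or-later,
            LGPL-2.1,
            LGPL-2.1+,
            LGPL-2.1-only,
            LGPL-2.1-or-later,
            LGPL-3.0,
            LGPL-3.0+,
            LGPL-3.0-only,
            LGPL-3.0-or-later,
            LGPLLR,
            NGPL
          # Only comment on the PR when the review fails, to keep passing PRs quiet.
          comment-summary-in-pr: on-failure
          # Explicit caller-supplied refs win; otherwise use the PR's base/head
          # SHAs, and as a last resort the default branch / current ref.
          base-ref: ${{ inputs.base-ref || github.event.pull_request.base.sha || github.event.repository.default_branch }}
          head-ref: ${{ inputs.head-ref || github.event.pull_request.head.sha || github.ref }}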